NSO Group Ordered to Pay $167M Over WhatsApp Spyware Attack

11

A Landmark Verdict in the Battle Against Spyware

The legal saga, which began in the Northern California District Court in October 2019, has reached a defining conclusion. Meta, the parent company of WhatsApp, initiated the lawsuit after discovering that NSO Group had leveraged its servers to infect the devices of journalists, human rights activists, and government officials with the Pegasus spyware. As reported by Security.nl, the federal jury’s decision to award USD167 million in damages follows a previous court finding from December 2024 that held the spyware maker liable for the unauthorized access to user infrastructure. For years, the surveillance industry has operated behind a veil of corporate secrecy. However, this case has peeled back that layer. Legal documents unsealed during the proceedings provided a rare, granular view of the company’s internal operations. According to reporting from Amnesty International, these documents established that NSO Group is the entity that directly “installs and extracts” data from targeted devices, effectively debunking the company’s long-standing narrative that it merely provides the software to government clients without participating in the exploitation process.

Implications for Global Human Rights

The impact of this ruling extends far beyond the financial penalty. Advocacy groups have framed the verdict as a turning point for the digital rights movement. Rebecca White, a researcher on targeted surveillance at Amnesty International, described the outcome as a “momentous win in fight against spyware abuse.” For those who have been targeted by Pegasus—a tool capable of intercepting communications from platforms ranging from Gmail and Telegram to WeChat and Skype—this judgment serves as a form of judicial validation.

“This decision should serve as a wake-up call to governments to take proactive, concrete steps to regulate the surveillance industry, to enforce safeguards on their surveillance practices, and to comprehensively ban tools that are inherently incompatible with human rights obligations and standards, such as Pegasus.”

Rebecca White, Amnesty International researcher on targeted surveillance, via Amnesty International

The broader surveillance community, including experts from Citizen Lab, has noted that the disclosure of NSO’s internal court statements offers an unprecedented look into their exploit development and financial operations. As Amnesty International Netherlands highlights, the hope among activists is that the financial weight of this judgment will create a deterrent effect for the company’s investors and future government customers. Meta has already signaled that it intends to donate the awarded damages to digital rights organizations currently working to shield vulnerable populations from such surveillance.

NSO Group’s Response and Future Legal Outlook

Despite the severity of the verdict, NSO Group remains defiant. In response to inquiries regarding the jury’s decision, the company maintained its position that its products are vital for national security. A company spokesperson told AFP that they plan to “carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal.” The company’s defense centers on the argument that its “technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies.” This position, however, stands in stark contrast to the findings of the court, which has already established the company’s role in the unauthorized targeting of users since at least 2016. As the industry looks toward the next 30 days, the focus will likely shift to how NSO Group structures its appeal and whether the precedent set in this California court will influence ongoing litigation elsewhere. With the technical capabilities of Pegasus exposed and a significant financial penalty now on the record, the normalization of invasive spyware as a state-sanctioned tool faces its most serious challenge to date. For victims and civil society, the signal is clear: the era of acting with perceived impunity is closing.